topic Re: Global protect username tags in General Topics https://live.paloaltonetworks.com/t5/general-topics/global-protect-username-tags/m-p/195315#M58362 <P>well.... yes and no, then yes again...</P><P>&nbsp;</P><P>you can use RSA groups but only for auth level. so you could allow RSA Grouped users to actually use the authentication profile.</P><P>this will not populate to policies. this requires LDAP based group membership.</P><P>&nbsp;</P><P>as a workaround...&nbsp;&nbsp; if you have an LDAP server or use AD you can create groups that serve no other use than group membership and reference these to the matched usernames within RSA.</P><P>&nbsp;</P><P>it may be that your users are already on AD, this will be a win win situation.</P><P>&nbsp;</P><P>please note that this "group membership" will only apply to the PA that GP authenticates to, it will not work if the users traverse any other firewall with such policies.</P><P>&nbsp;</P><P>Mick.</P> Tue, 16 Jan 2018 15:32:20 GMT Mick_Ball 2018-01-16T15:32:20Z Global protect username tags https://live.paloaltonetworks.com/t5/general-topics/global-protect-username-tags/m-p/195295#M58355 <P>Hello all,</P><P>&nbsp;</P><P>I use RADIUS server for authenticating GP users. Is there a possibility to read tags sent by RADIUS server associated with user groups and palo could allow/deny specific users?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Jan 2018 13:33:01 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-username-tags/m-p/195295#M58355 SThatipelly 2018-01-16T13:33:01Z Re: Global protect username tags https://live.paloaltonetworks.com/t5/general-topics/global-protect-username-tags/m-p/195315#M58362 <P>well.... yes and no, then yes again...</P><P>&nbsp;</P><P>you can use RSA groups but only for auth level. so you could allow RSA Grouped users to actually use the authentication profile.</P><P>this will not populate to policies. this requires LDAP based group membership.</P><P>&nbsp;</P><P>as a workaround...&nbsp;&nbsp; if you have an LDAP server or use AD you can create groups that serve no other use than group membership and reference these to the matched usernames within RSA.</P><P>&nbsp;</P><P>it may be that your users are already on AD, this will be a win win situation.</P><P>&nbsp;</P><P>please note that this "group membership" will only apply to the PA that GP authenticates to, it will not work if the users traverse any other firewall with such policies.</P><P>&nbsp;</P><P>Mick.</P> Tue, 16 Jan 2018 15:32:20 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-username-tags/m-p/195315#M58362 Mick_Ball 2018-01-16T15:32:20Z